From 46500a0e7450ce03f2cf79bb1b3f4611ab71f873 Mon Sep 17 00:00:00 2001
From: eug-L <eugene4198@gmail.com>
Date: Wed, 5 Mar 2025 10:09:52 +0800
Subject: [PATCH 1/4] add js api key field & hashing for visitor recognition

---
 src/core/TawktoGenerator.php | 103 ++++++++++++++++++++++++++++++++++-
 1 file changed, 100 insertions(+), 3 deletions(-)

diff --git a/src/core/TawktoGenerator.php b/src/core/TawktoGenerator.php
index cbd870a..b20c328 100644
--- a/src/core/TawktoGenerator.php
+++ b/src/core/TawktoGenerator.php
@@ -54,12 +54,22 @@ public function getWidget() {
     $display_opts = $options;
     // Default value.
     $enable_visitor_recognition = TRUE;
+    $secure_mode_enabled = FALSE;
+    $js_api_key = NULL;
     if (!is_null($display_opts)) {
       $display_opts = json_decode($display_opts);
 
       if (!is_null($display_opts->enable_visitor_recognition)) {
         $enable_visitor_recognition = $display_opts->enable_visitor_recognition;
       }
+
+      if (!is_null($display_opts->secure_mode_enabled)) {
+        $secure_mode_enabled = $display_opts->secure_mode_enabled;
+      }
+
+      if (!is_null($display_opts->js_api_key)) {
+        $js_api_key = $display_opts->js_api_key;
+      }
     }
 
     if ($enable_visitor_recognition) {
@@ -67,11 +77,22 @@ public function getWidget() {
       if ($user) {
         $username = $user->get('name')->value;
         $usermail = $user->get('mail')->value;
+        $hash = NULL;
+
+        $keyModule = $this->getKeyModule();
+        $keys = $keyModule['keys'];
+
+        if ($secure_mode_enabled) {
+          if (!is_null($js_api_key) && isset($keys[$js_api_key])) {
+            $hash = hash_hmac('sha256', $usermail, $keys[$js_api_key]->getKeyValue());
+          }
+        }
 
         $apiString = 'Tawk_API.visitor = {
                     name  : "' . $username . '",
-                    email : "' . $usermail . '",
-                };';
+                    email : "' . $usermail . '",' .
+                    (!is_null($hash) ? PHP_EOL . 'hash  : "' . $hash . '",' : '') .
+                '};';
       }
     }
 
@@ -95,6 +116,26 @@ public function getWidget() {
           return $output;
   }
 
+  /**
+   * Get keys.
+   *
+   * @return array
+   *   Key module installed and keys
+   */
+  private function getKeyModule() {
+    $installed = \Drupal::getContainer()->has('key.repository');
+    $keys = [];
+
+    if ($installed) {
+      $keys = \Drupal::service('key.repository')->getKeys();
+    }
+
+    return [
+      'installed' => $installed,
+      'keys' => $keys,
+    ];
+  }
+
   /**
    * Check widget visibility based on set options.
    *
@@ -214,6 +255,11 @@ public function getIframe() {
     if (!is_null($display_opts)) {
       $display_opts = json_decode($display_opts);
     }
+
+    $keyModule = $this->getKeyModule();
+    $keyModuleInstalled = $keyModule['installed'];
+    $keys = $keyModule['keys'];
+
     ob_start();
     ?>
         <link href="https://plugins.tawk.to/public/bootstrap/css/bootstrap.min.css" rel="stylesheet">
@@ -284,7 +330,7 @@ public function getIframe() {
                     <form id="module_form" class="form-horizontal" action="" method="post">
                         <div id="fieldset_1">
                             <div class="panel form-group col-xs-12">
-                                <div class="panel-heading"><strong>Visibility Settings</strong></div>
+                                <div class="panel-heading"><strong>Visibility Options</strong></div>
                             </div>
                             <div class="form-group col-xs-12">
                                 <label for="always_display" class="col-xs-6 control-label">Always show Tawk.To widget on every page</label>
@@ -453,6 +499,52 @@ public function getIframe() {
                                 </div>
                             </div>
                         </div>
+                        <div id="fieldset_3">
+                            <div class="panel form-group col-xs-12">
+                                <div class="panel-heading"><strong>Security Options</strong></div>
+                            </div>
+                            <div class="form-group col-xs-12">Note: If Secure Mode is enabled on your property, please enter your Javascript API Key to ensure visitor recognition works correctly.</div>
+                            <div class="form-group col-xs-12">
+                                <label for="secure_mode_enabled" class="col-xs-6 control-label">Secure mode enabled</label>
+                                <div class="col-xs-6 control-label">
+                                    <?php
+                                    $checked = 'checked';
+                                    if (!is_null($display_opts) && !$display_opts->secure_mode_enabled) {
+                                      $checked = '';
+                                    }
+                                    ?>
+                                    <input type="checkbox" class="checkbox" name="secure_mode_enabled" id="secure_mode_enabled" value="1"
+                                        <?php echo $checked ?> />
+                                </div>
+                            </div>
+                            <div class="form-group col-xs-12">
+                                <label for="enable_visitor_recognition" class="col-xs-6 control-label">JavaScript API Key</label>
+                                <div class="col-xs-6 control-label" style="text-align: justify;">
+                                    <?php if (!$keyModuleInstalled) { ?>
+
+                                      <span>The <a target="_blank" href="https://www.drupal.org/project/key">Key</a> module is not installed. Please install it and create a key for JS API Key.</span>
+
+                                    <?php }
+                                    else { ?>
+
+                                      <span>Keys:</span>
+                                      <select name="js_api_key" id="js_api_key">
+                                        <?php
+                                        foreach (array_keys($keys) as $key) {
+                                          $selected = 'selected';
+                                          if (!is_null($display_opts) && $display_opts->js_api_key !== $key) {
+                                            $selected = '';
+                                          }
+                                          ?>
+                                          <option value="<?php echo $key; ?>" <?php echo $selected; ?>><?php echo $key; ?></option>
+                                        <?php } ?>
+                                      </select>
+                                      <div>To create a new key, go to <a href="/admin/config/system/keys">/admin/config/system/keys</a></div>
+
+                                    <?php } ?>
+                                </div>
+                            </div>
+                        </div>
                         <div class="panel-footer">
                             <div class="col-lg-6 col-xs-12" style="text-align: right; margin-bottom: 10px;">
                                 <button type="submit" value="1" id="module_form_submit_btn" name="submitBlockCategories" class="btn btn-default pull-right"><i class="process-icon-save"></i> Save</button>
@@ -685,10 +777,15 @@ public function setOptions($options) {
           $jsonOpts[$column] = json_encode($non_empty_values);
           break;
 
+        case 'js_api_key':
+          $jsonOpts[$column] = trim($value);
+          break;
+
         case 'show_onfrontpage':
         case 'show_oncategory':
         case 'always_display':
         case 'enable_visitor_recognition':
+        case 'secure_mode_enabled':
           $jsonOpts[$column] = $value == 1;
           break;
       }

From cabfc6e89d5121556fd467818cad04aad68a0ae9 Mon Sep 17 00:00:00 2001
From: eug-L <eugene4198@gmail.com>
Date: Tue, 11 Mar 2025 14:13:32 +0800
Subject: [PATCH 2/4] escape username

---
 src/core/TawktoGenerator.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/core/TawktoGenerator.php b/src/core/TawktoGenerator.php
index b20c328..ce996cc 100644
--- a/src/core/TawktoGenerator.php
+++ b/src/core/TawktoGenerator.php
@@ -6,6 +6,7 @@
   require_once __DIR__ . '/../../vendor/autoload.php';
 }
 
+use Drupal\Component\Utility\Html;
 use Drupal\Core\Cache\Cache;
 use Drupal\user\Entity\User;
 use Symfony\Component\HttpFoundation\JsonResponse;
@@ -89,7 +90,7 @@ public function getWidget() {
         }
 
         $apiString = 'Tawk_API.visitor = {
-                    name  : "' . $username . '",
+                    name  : "' . Html::escape($username) . '",
                     email : "' . $usermail . '",' .
                     (!is_null($hash) ? PHP_EOL . 'hash  : "' . $hash . '",' : '') .
                 '};';

From 28ffdd4d7b98df473a53b461125b0f9a3bac276a Mon Sep 17 00:00:00 2001
From: eug-L <eugene4198@gmail.com>
Date: Tue, 11 Mar 2025 14:20:57 +0800
Subject: [PATCH 3/4] get single key entity

---
 src/core/TawktoGenerator.php | 29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

diff --git a/src/core/TawktoGenerator.php b/src/core/TawktoGenerator.php
index ce996cc..27433b4 100644
--- a/src/core/TawktoGenerator.php
+++ b/src/core/TawktoGenerator.php
@@ -80,12 +80,11 @@ public function getWidget() {
         $usermail = $user->get('mail')->value;
         $hash = NULL;
 
-        $keyModule = $this->getKeyModule();
-        $keys = $keyModule['keys'];
+        if ($secure_mode_enabled && !is_null($js_api_key)) {
+          $key = $this->getKey($js_api_key);
 
-        if ($secure_mode_enabled) {
-          if (!is_null($js_api_key) && isset($keys[$js_api_key])) {
-            $hash = hash_hmac('sha256', $usermail, $keys[$js_api_key]->getKeyValue());
+          if (!is_null($key)) {
+            $hash = hash_hmac('sha256', $usermail, $key);
           }
         }
 
@@ -137,6 +136,26 @@ private function getKeyModule() {
     ];
   }
 
+  /**
+   * Get key value.
+   *
+   * @param string $key_id
+   *   Key ID.
+   *
+   * @return string|null
+   *   Key value.
+   */
+  private function getKey($key_id) {
+    $installed = \Drupal::getContainer()->has('key.repository');
+
+    if (!$installed) {
+      return NULL;
+    }
+
+    $key = \Drupal::service('key.repository')->getKey($key_id);
+    return $key->getKeyValue();
+  }
+
   /**
    * Check widget visibility based on set options.
    *

From 82918b9762ee9674e93d8bbca003a3a409a35583 Mon Sep 17 00:00:00 2001
From: eug-L <eugene4198@gmail.com>
Date: Tue, 11 Mar 2025 15:27:49 +0800
Subject: [PATCH 4/4] limit key selection to authentication type

---
 src/core/TawktoGenerator.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/core/TawktoGenerator.php b/src/core/TawktoGenerator.php
index 27433b4..f38843e 100644
--- a/src/core/TawktoGenerator.php
+++ b/src/core/TawktoGenerator.php
@@ -127,7 +127,7 @@ private function getKeyModule() {
     $keys = [];
 
     if ($installed) {
-      $keys = \Drupal::service('key.repository')->getKeys();
+      $keys = \Drupal::service('key.repository')->getKeysByType('authentication');
     }
 
     return [
@@ -542,13 +542,14 @@ public function getIframe() {
                                 <div class="col-xs-6 control-label" style="text-align: justify;">
                                     <?php if (!$keyModuleInstalled) { ?>
 
-                                      <span>The <a target="_blank" href="https://www.drupal.org/project/key">Key</a> module is not installed. Please install it and create a key for JS API Key.</span>
+                                      <span>The <a target="_blank" href="https://www.drupal.org/project/key">Key</a> module is not installed. Please install it and create an <b>Authentication</b> key for JS API Key.</span>
 
                                     <?php }
                                     else { ?>
 
                                       <span>Keys:</span>
                                       <select name="js_api_key" id="js_api_key">
+                                        <option value="">Select a key</option>
                                         <?php
                                         foreach (array_keys($keys) as $key) {
                                           $selected = 'selected';
@@ -559,7 +560,7 @@ public function getIframe() {
                                           <option value="<?php echo $key; ?>" <?php echo $selected; ?>><?php echo $key; ?></option>
                                         <?php } ?>
                                       </select>
-                                      <div>To create a new key, go to <a href="/admin/config/system/keys">/admin/config/system/keys</a></div>
+                                      <div>To create a new key, go to <a href="/admin/config/system/keys">/admin/config/system/keys</a>.<br>Tawk.to will use an <b>Authentication</b> key to secure the visitor recognition.</div>
 
                                     <?php } ?>
                                 </div>